← Back to context

Comment by marginalia_nu

3 years ago

> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.

I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:

  ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz

It's a lot less work to lock down one machine really tight enough to expose them to the public Internet than to do it on the entire network.

9 comments

marginalia_nu

Reply
jgtrosh  3 years ago

Use -J or ProxyJump in .SSH/config for a modern equivalent

  • lxgr  3 years ago

    Yes, please only use this!

    The big advantage of this (over ssh user@host1 ssh user@host2) is that the jump host only sees the encrypted inner connection – it doesn't get access to the client's SSH agent/keychain, nor to the target host (host2) or data transmitted over the connection.

neurostimulant  3 years ago

Unfortunately it doesn't work if you're behind a NAT due to shitty ISP, like me. I use AutoSSH instead to expose my local machine's ssh port on a high port in the gateway machine: `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain`

ServerAliveInterval 30 is important because my ISP often drop idle connections, often not even 1 minute idle. Can probably tweak it to listen to a localhost only port instead of exposing them to internet.

trinovantes  3 years ago

I use this alias in my .ssh/config to connect through a gateway machine:

    Host myserver
        User user
        ProxyCommand ssh -q public-server nc -q0 private-server 22

I can't remember what these flags actually do but they seem to get the job done

  • taftster  3 years ago

    ProxyJump is slightly preferred in modern SSH. Does what you're doing, but with simpler syntax. Take a look.